How TUI Group Strengthened its Third-Party Risk Management

Written by

Third-party risk management (TPRM) is a top priority for ensuring a business remains secure. It is especially challenging for those who have onboarded new legal entities through an acquisition or find themselves working with several legacy suppliers in a multi-faceted organization.

Sam Watling, Head of Critical Asset Security, TUI Group, spoke to Infosecurity Magazine about some of the challenges a company of over 60,000 employees has when it comes to cybersecurity and the approach his team has taken to TPRM in recent years. 

Infosecurity Magazine: What are the biggest like security challenges a company like TUI faces?

Sam Watling: Well TUI is quite big, we have around 62,000 employees at the moment and the workforce is diverse and dispersed. We have people sitting in offices, contact centres, retail stores as well as aircraft crew, pilots, staff at airports alongside employees working on cruise ships and in hotels.

The biggest challenge for us is getting the training and awareness messages right for that range of individuals. As we all know it only takes one click to get a bit of malicious software downloaded to cause significant network issues.

Also, TUI is a relatively old organization that is formed of lots of travel organizations that have merged over the years. With so many different legal entities we’ve got a lot of legacy suppliers as well as working practices that have not been well integrated.

This means third-party risk management and corralling all of those hundreds of suppliers that we use is a significant issue.

We don’t have vast quantities of financial data but we have got a large quantity of customer data, as you might expect.

We have over 16 million customer records. Obviously, with all of the different legal entities involved, we've got to make sure that that customer data is controlled in a sensible way because ultimately, our customers trust us to look after their data.

IM: Regarding TPRM, what issues were you looking to overcome when you began working with SecurityScorecard? How did their approach help?

SW: As an organization we identified that we had a problem with how much effort we needed to put into making sure any new suppliers we used were secure. From a resource perspective, we didn’t have enough people to deal with the mass of new suppliers the organization wanted to use.

“We didn’t have enough people to deal with the mass of new suppliers the organization wanted to use.”

My first use case for a product like SecurityScorecard was very much to help me triage. I had a big funnel of suppliers and wanted to know which ones we needed to pay more attention to. A ratings platform was an obvious way for us to do this.

For those suppliers that came up above a certain grade we could be relatively happy with them and have a bit more of a light-touch approach. For those that scored poorly we put more resources towards assessing those suppliers.

The tool was simple to use, easy to understand and the licensing model was a benefit as it meant I didn’t have to buy too much to be able to fill out that first use case.

The journey then grew organically as colleagues started to see what the tool could do.

At one point, data appeared on the dark web that looked like it could belong to TUI, and it was SecurityScorecard that flagged that to us by a decreasing score for ourselves. That triggered a project to try and improve TUI’s score.

Overall, of course it doesn’t tell us everything we need to know about our suppliers and our third-party risk, but it is a very strong indicator. It is a signal that helps us.

“We’re outsourcing more than we ever used to.”

Although over the COVID pandemic we were forced to furlough a lot of our staff, we did not stop our digital transformation – even whilst we weren’t taking anyone on holiday. One of the tasks required to meet our Minimum Viable Product was for each of our technology services to tell us who their critical suppliers were to drive them to put a bit of thought behind their third parties.

We ended up with a long list of suppliers we thought we should track and that triggered an enhanced use of SecurityScorecard. 

IM: Do you think supply chain security has become more challenging in recent years or is it an issue that has always been there?

SW: It’s always been there but I think we are paying more attention to it now because of some significant supply chain breaches like the BA loss of cardholder information in 2018. This was the result of inappropriate code committed on one of their websites. I think nowadays with so much code development happening by importing external libraries that are maintained by third parties, there’s much more reliance on third parties. We’re outsourcing more than we ever used to.

IM: What is your approach to ensuring you have a fully resourced security team, against a backdrop of a skills shortage?

SW: I won’t say we’ve already got a fully resourced team, we haven’t, and most organizations probably don’t.

For TUI it’s all about empowering our people. Our motto is security first in everything we do, and we want all of our colleagues to have security in front of mind in all of their activities.

We have an information security advisors’ network, people across the business who are passionate about security that can spread the word.

We also have security champions, and these are tech people that don't have infosecurity in their job title, but who represent the security requirements that we want within the technology teams.

Additionally, we use tooling, like SecurityScorecard, to try to make sure many people have access, get hands-on experience of them and actually see the results for themselves.

We’ve got a fairly distributed model. From a senior leadership perspective, we’ve even managed to get cybersecurity goals into our IT directors’ performance management objectives.

IM: What are your biggest concerns within cybersecurity today?

SW: We have quite a lot of incoming regulation and directives across Europe and for us NIS2 is very relevant as it has a focus on critical infrastructure, as we have airlines and cruise companies that are in scope of that regulation.

There are also the ongoing external threats, such as the increase in ransomware as a result of the war in Ukraine. TUI has not been hit particularly by ransomware, but the number of instances is certainly increasing. It’s not something that’s going to go away while people are paying the ransoms and there’s a continuing profit cycle.

As with most organizations we try to stay middle of the pack, you don't want to be the least performing in terms of cyber resilience, but you also don't really want to be the top because it probably means you're spending too much money.

IM: What are the biggest successes that you think the cybersecurity industry is experiencing today?

SW: I think one thing that's positive is the collaboration between our industry peers. It's phenomenally good in the cybersecurity industry. No matter what competitive differences there are, we will share best practices to help protect the crown jewels for each of our individual companies. I only see that increasing.

What’s hot on Infosecurity Magazine?